Module de.cuioss.http
Package de.cuioss.http.security.pipeline

Class PipelineFactory

java.lang.Object
de.cuioss.http.security.pipeline.PipelineFactory
public final class PipelineFactory extends Object
Factory class for creating HTTP security validation pipelines.

This factory provides centralized creation of all HTTP security validation pipelines with consistent configuration and monitoring. It ensures proper pipeline selection based on the type of HTTP component being validated and provides convenient factory methods for common use cases.

Design Principles

  • Centralized Creation - Single point for pipeline instantiation
  • Type Safety - Compile-time verification of pipeline types
  • Configuration Consistency - Ensures all pipelines use same config
  • Monitoring Integration - Unified event tracking across pipelines

Supported Pipeline Types

  • URL Path Validation - For URL path segments and components
  • URL Parameter Validation - For query parameter values
  • HTTP Header Validation - For header names and values

Usage Examples

 SecurityConfiguration config = SecurityConfiguration.defaults();
 SecurityEventCounter counter = new SecurityEventCounter();

 // Create specific pipeline types
 HttpSecurityValidator pathValidator = PipelineFactory.createUrlPathPipeline(config, counter);
 HttpSecurityValidator paramValidator = PipelineFactory.createUrlParameterPipeline(config, counter);
 HttpSecurityValidator headerNameValidator = PipelineFactory.createHeaderNamePipeline(config, counter);
 HttpSecurityValidator headerValueValidator = PipelineFactory.createHeaderValuePipeline(config, counter);

 // Generic factory method based on validation type
 HttpSecurityValidator validator = PipelineFactory.createPipeline(ValidationType.URL_PATH, config, counter);

Factory Method Benefits

  • Type Safety - Prevents incorrect ValidationType for header pipelines
  • Simplified API - Clear method names for common use cases
  • Future Extensibility - Easy to add new pipeline types
  • Configuration Validation - Ensures proper pipeline setup

Thread Safety

This factory class is stateless and thread-safe. All factory methods can be called concurrently from multiple threads. The created pipelines are also thread-safe and immutable.

Implements: Task P5 from HTTP verification specification
Since:
1.0

  • Method Details

    • createUrlPathPipeline

      public static HttpSecurityValidator createUrlPathPipeline(SecurityConfiguration config, SecurityEventCounter eventCounter)
      Creates a URL path validation pipeline for validating URL path components.

      This pipeline validates URL path segments for security threats including:

      • Path traversal attacks (../)
      • Directory escape attempts
      • Encoded path traversal patterns
      • Suspicious path patterns
      • Invalid URL encoding
      Parameters:
      config - The security configuration to use
      eventCounter - The event counter for tracking security violations
      Returns:
      A configured URL path validation pipeline
      Throws:
      NullPointerException - if config or eventCounter is null

    • createUrlParameterPipeline

      public static HttpSecurityValidator createUrlParameterPipeline(SecurityConfiguration config, SecurityEventCounter eventCounter)
      Creates a URL parameter validation pipeline for validating query parameter values.

      This pipeline validates URL parameter values for HTTP-layer security threats including:

      • XSS attack patterns
      • Path traversal attempts
      • Invalid URL encoding
      • Parameter-based attacks
      • Character encoding attacks
      Parameters:
      config - The security configuration to use
      eventCounter - The event counter for tracking security violations
      Returns:
      A configured URL parameter validation pipeline
      Throws:
      NullPointerException - if config or eventCounter is null

    • createParameterNamePipeline

      public static HttpSecurityValidator createParameterNamePipeline(SecurityConfiguration config, SecurityEventCounter eventCounter)
      Creates a URL parameter name validation pipeline.

      This pipeline validates URL parameter names (query string keys) for:

      • Invalid characters in parameter names
      • Parameter name length limits
      • Encoding and normalization issues
      • Injection attempts

      Parameter names have stricter validation than parameter values since they typically map to internal field names or database columns.

      Parameters:
      config - The security configuration to use
      eventCounter - The event counter for tracking security violations
      Returns:
      A configured URL parameter name validation pipeline
      Throws:
      NullPointerException - if config or eventCounter is null

    • createHeaderNamePipeline

      public static HttpSecurityValidator createHeaderNamePipeline(SecurityConfiguration config, SecurityEventCounter eventCounter)
      Creates an HTTP header name validation pipeline.

      This pipeline validates HTTP header names according to RFC 7230 specifications and checks for:

      • Invalid header name characters
      • Header injection attempts
      • CRLF injection patterns
      • Suspicious header names
      Parameters:
      config - The security configuration to use
      eventCounter - The event counter for tracking security violations
      Returns:
      A configured HTTP header name validation pipeline
      Throws:
      NullPointerException - if config or eventCounter is null

    • createHeaderValuePipeline

      public static HttpSecurityValidator createHeaderValuePipeline(SecurityConfiguration config, SecurityEventCounter eventCounter)
      Creates an HTTP header value validation pipeline.

      This pipeline validates HTTP header values according to RFC 7230 specifications and checks for:

      • Invalid header value characters
      • Header injection attempts
      • CRLF injection patterns
      • Malicious header content
      Parameters:
      config - The security configuration to use
      eventCounter - The event counter for tracking security violations
      Returns:
      A configured HTTP header value validation pipeline
      Throws:
      NullPointerException - if config or eventCounter is null

    • createPipeline

      public static HttpSecurityValidator createPipeline(ValidationType validationType, SecurityConfiguration config, SecurityEventCounter eventCounter)
      Generic factory method that creates the appropriate validation pipeline based on the specified validation type.

      This method provides a unified interface for creating any type of validation pipeline. It's particularly useful when the pipeline type is determined at runtime.

      Supported Validation Types

      • URL_PATH - Creates URLPathValidationPipeline
      • PARAMETER_VALUE - Creates URLParameterValidationPipeline
      • HEADER_NAME - Creates HTTPHeaderValidationPipeline for names
      • HEADER_VALUE - Creates HTTPHeaderValidationPipeline for values
      Parameters:
      validationType - The type of validation pipeline to create
      config - The security configuration to use
      eventCounter - The event counter for tracking security violations
      Returns:
      A configured validation pipeline of the appropriate type
      Throws:
      NullPointerException - if any parameter is null
      IllegalArgumentException - if validationType is not supported or invalid

    • createCommonPipelines

      public static PipelineFactory.PipelineSet createCommonPipelines(SecurityConfiguration config, SecurityEventCounter eventCounter)
      Creates multiple validation pipelines for common HTTP component validation scenarios.

      This convenience method creates a set of commonly used pipelines with shared configuration and monitoring. This is useful for applications that need to validate multiple types of HTTP components.

      Parameters:
      config - The security configuration to use for all pipelines
      eventCounter - The event counter for tracking security violations across all pipelines
      Returns:
      A PipelineFactory.PipelineSet containing commonly used validation pipelines
      Throws:
      NullPointerException - if config or eventCounter is null